“Have I been pwned?”: a force for good or evil?

A new website called “Have I been pwned?” will tell you if your email address was involved in an account-data theft (a hack) of a website.

While that may sound great, the problem is that _any_ email address can be entered in the search field; it doesn’t have to belong to you. And that makes this “feature” of the website very interesting for people who like sticking their noses in other people’s business.

For example, entering the email address of any person I know enables me to see whether their LinkedIn account was compromised. But the information that their LinkedIn account was compromised is not what interests me. It is the fact that I now know that they are on LinkedIn.

Of course, if you really want to find this information, then it is possible to do so. But it would certainly be a lot harder without a search engine like “Have I been pwned?”. Additionally, compromised websites will nearly always email their users to inform them of the breach, urging them to change their passwords. Consequently, what would be the point of looking up your own address on “Have I been pwned?” if the compromised website has already informed you of the breach?

So is “Have I been pwned?” really a useful tool for security-conscious internet users? Doubtful. Is it a time-saving search tool for amateur black hats and nosy people? Probably.

I don’t doubt that the website was created with the best intentions, but it still seems a bit… odd. And while there is an “opt-out” option, perhaps it would have been nicer to make it an “opt-in” version instead.

[UPDATE (dated 20170628)]

Today I noticed that the “Have I been pwned?” website now requires email verification before including sensitive websites in the search results. That’s much better. ;-)